Privacy Breaches

Policy

We are committed to acting in the best interests of our patients and understand our obligations under the Privacy Act 2020 to respond as soon as possible to any privacy breach. We are obligated to notify the Office of the Privacy Commissioner | Te Mana Mātāpono Matatapu of any breach of privacy that has caused, or is likely to cause, serious harm to anyone.

If a notifiable privacy breach occurs:

the practice must inform the affected people as soon as practically possible
any staff members who become aware of the breach should inform the privacy officer as soon as possible.

Notifiable privacy breaches and "near misses" are discussed at practice meetings to identify any opportunities to improve systems and reduce the likelihood of breaches happening again.

Managing a privacy breach

Refer to Privacy Commissioner | Te Mana Mātāpono Matatapu: Responding to privacy breaches and Privacy Breach Guidelines

The privacy officer manages privacy breaches, and any follow-up actions.

1.	Contain the breach: Find out what happened and act immediately to try to contain it. Inform the privacy officer or other appropriate staff member who can start an initial investigation. If the breach involves theft or other criminal activity, notify the police.
2.	Assess the breach: Use the online NotifyUs tool to assess the seriousness of the breach. This can help you decide your next steps. When assessing the seriousness of a breach, you might consider: types of personal information involved what the personal information might show if the personal information is easy to access cause of the breach extent of the breach potential harm resulting from the breach who holds the information now. Source: Privacy Commissioner \| Te Mana Mātāpono Matatapu No information is stored during the self-assessment, and a notification is only sent to the Privacy Commissioner \| Te Mana Mātāpono Matatapu if you choose to submit one.
3.	Notify the breach: If it is likely to cause serious harm, tell the affected people as soon as possible, so that they can take action to protect themselves. Recommended ways of notifying people directly are by: phone letter email in person. Sending a message using an indirect platform or notification, such as through a website or company email, is not recommended. If it's a serious breach, submit a Privacy Breach Report Form to the Office of the Privacy Commissioner \| Te Mana Mātāpono Matatapu, as soon as you are practically able, and ideally within 72 hours. If computer systems are involved, you may need to report a cyber incident..
4.	Prevent future breaches: Once the breach is resolved, investigate the cause and ways to prevent it happening again. Review your IT Security plan after a breach, and take steps to update it if necessary.

Page Information

Last reviewed Last review: The date this page last had a comprehensive review by the GPDocs team. See the review schedule.	June 2024
Next review Next review: The date this page will next be reviewed by all GPDocs practices. See the review schedule.	April 2027
Topic type Topic Types There are two topic types: Core content Text outside the yellow highlighting (as shown on the model site) is there for compliance, legislation, or best practice. The text is not normally changed. Core content is continually reviewed and kept up to date. Customised Core content on this page has been changed on request by the practice. Customised topics must be reviewed and updated by the practice because they are not automatically updated by GPDocs.	Core content
Approved By:	Key Contact
Topic ID:	14066

Site Links

About us

Logout

Contact

Phone: 0800 473 627
Email: support@gpdocs.co.nz

Privacy Breaches

Page Information

Last review:

Next review:

Topic Types

Site Links

About us

Contact